Catastrophe modeling platform expands into cyber risk

A hurricane has the power to flatten homes and debilitate communities for months. A hacker can put into motion a quieter catastrophe that can also result in huge amounts of damage for a public or private entity, which is why the catastrophe risk modeling company RMS launched a probabilistic model dedicated to analyzing cyber risk back in May. According to RMS, cyber doesn’t behave like other perils and its carrier, reinsurance and broker clients have had difficulties allocating risk capital with confidence, which is where the new modeling platform comes into play.

“Our models before have been deterministic, so we really feel like we’re setting a market standard,” explained Kathleen Maloney, head of US cyber solutions for RMS. “We’re one of the first ones to do this, so we’re looking at the probability in IT scenarios of what can happen based on different classes of business and different exposures.”

The new model helps to assess losses for different cyber scenarios, enabling insurers to allocate risk capital and model users to input their loss experiences and understand their own risk. In its 2018 Cyber Risk Outlook report, RMS cited data breaches, contagious malware, and financial theft as common trends that continue to be a major source of cyberattacks, though other scenarios that require expanded insurance coverage are also entering the fray.

“Usually when people think of cyber, they’re thinking of an affirmative cyber policy,” said Maloney. “But, we’re seeing more and more now where this could become a property coverage, so if you don’t have a property damage exclusion in there, there could be a situation where a hacker might get in and cause some sort of a breach or some sort of cyber incident,” causing damage to the physical hardware.

RMS has collected information on 62,000 incidents in its database, a leap from the 10,000 incidents it originally had two years ago, and expanded its team to keep a constant look-out for cyber events, which have the potential to affect any entity today – from a large ticketing company to a public library in small town America.

“Hackers are getting more sophisticated [about] how they’re actually going to get into the network and I think they do their research a lot more to figure out how much information is on a certain network or a certain type of business,” said Maloney. “Just look at Equifax – you had pretty much every single adult in the United States’ information taken, which is pretty scary.”

In fact, the Equifax breach exposed 143 million US records containing customer information, while 15.2 million records of British citizens and 8,000 Canadian records were also impacted, according to the Cyber Risk Outlook report.

Even with the ever-present threat of cyber, many companies still leave themselves open for easy hacking. Maloney was an underwriter for 10 years before joining RMS earlier in 2018, and saw her fair share of exposures.

“A lot of people don’t do patching correctly, so if you’re not implementing those critical patches right away, that’s a vulnerability,” she told Insurance Business, adding that the other common exposure is us. “Humans are still a big factor. There are still a decent amount of people that click on links and don’t recognize when they’re being phished. It’s getting better – a lot of companies are investing a lot of resources into doing security awareness training – but I still think people are clicking on. Sometimes, they have a phishing campaign where click rates are 40%.”